Wednesday, 28 May 2014

Continued after Part 1...The Willy Report: proof of massive fraudulent trading activity at Mt. Gox, and how it has affected the price of Bitcoin

At this point, I noticed that the first Willy account (created on September 27th) unlike all the others had some crazy high user ID: 807884, even though regular accounts at that point only went up to 650000 or so. So I went looking for other unusually high user IDs within that month, and lo and behold, there was another time-traveller account with an ID of 698630 – and this account, after being active for close to 8 months, became completely inactive just 7 hours before the first Willy account became active! So it is a reasonable assumption that these accounts were controlled by the same entity. Account 698630 actually had a registered country and state: “JP”, “40″ – the FIPS code for Tokyo, Japan. So I went and compiled all trades for this account. For convenience, I will dub this user “Markus”. Its trades are as follows:

There were several peculiar things about Markus. First, its fees paid were always 0 (unlike Willy, who paid fees as usual). Second, its fiat spent when buying coins was all over the place, with seemingly completely random prices paid per bitcoin. For reference, Markus is the “Glitch in the System” user in this excellent Gox DB visualization (on that note, all of the Willy accounts are the “Greater Fools” with just big green blotches around Oct-Nov). Upon further inspection of the log, it became clear what was the cause of these seemingly random values:

In this table, the first two trades (buy/sell pairs) are by some regular user with ID 238168. In the second trade, this user buys 0.398 BTC for $15.13. The next trade is some large market buy by Markus (ID 698630): note how the “$15.13″ value from the previous trade seems to “stick”; regardless of the volume of BTC bought, the value paid is always $15.13. This is speculation, but perhaps for Markus, the “Money” spent field is in fact empty, and the program that generates the trading logs simply takes whatever value was already there before. In other words, Markus is somehow buying tons of BTC without spending a dime. Interestingly, Markus also sells every now and then, and for some reason the price values are correct this case. His biggest sell occurred on June 2nd. I’ve analyzed these trades separately here:

Sell 31k BTC, receive $4 million, re-buy 15k BTC, spend nothing. Awesome! Here is the corresponding chart for this day, just to show that these trades (from 8:00 to 10:00 am) actually occurred “on-market”, and had a significant effect on the price.

Another net ~300,000 BTC bought. Combined with Willy’s buys, that’s around 570,000 BTC in total. Although there are no trading logs after November, Willy was observed by multiple traders to be active for the most part of December until the end of January as well. Although this was at a slower, more consistent pace (around 2000 BTC per day), it should roughly add up to another 80,000 BTC or so bought. So that’s a total that’s suspiciously close to the supposedly lost ~650,000 BTC.

So… hacker, or inside job?

At this point, I guess the straightforward conclusion would be that this is how the coins were stolen: a hacker gained access to the system or database, was able to assign himself accounts with any amount of USD at will, and just started buying and withdrawing away. This is in line with what GoxDox.org reported last month (they leaked the Sunlot court filing, so clearly they have some inside info). After all, the constant creation of new Willy accounts seems almost intended to avoid detection. Unverified BTC withdrawals may have been possible until late 2013 (I could not find any exact data on this), or perhaps the “??” location values in the database (unlike the usual empty or “!!” values for unverified users) were able to fool the system into thinking this user was verified. However, there are a lot of things that don’t add up with this theory; in fact there is a ton of evidence to suggest that all of these accounts were controlled by Mt. Gox themselves.

First, the obvious: Markus has Tokyo, Japan as its registered location. But any hacker could edit a DB entry to try and frame someone (or even be located in Tokyo, however unlikely). However, none of the Willy accounts until November appear in the leaked balance summary at the time of collapse, and there seem to be no corresponding withdrawals for those amounts of bitcoin bought. Markus does have a balance: around 20 BTC and small amounts of EUR, JPY and PLN. No USD balance. In other words, only currencies for which Mt. Gox actively controlled bank accounts.

The next piece of evidence is perhaps more convincing. For some months in 2013, there were two versions of trading logs in the leaked database: a full log, and an anonymized log with user hashes and country/state codes removed. For April 2013, there was a .zip file which contained one such anonymized log – this is speculation, but one use of this may have been to send off to auditors/investors to show some internals. Upon closer inspection, it turns out the full and anonymized versions of all the logs differ in two, and ONLY two ways:

User hashes and country/state codes are removed.

Markus’ out-of-place user ID (698630) is changed to a small number (634), and its strange fixed “Money” values are corrected to the expected values.

Interesting detail: from the 2011 leaked account list, the user with ID 634 has username “MagicalTux”. Compare these two tables:

The “fixed” file has an earlier creation date than the full log, so it could not have been a reporting bug that was fixed later. Everything points to these values having been manually edited, presumably to erase traces of suspicious activity. Although another possibility is that it is actually the other way around – the correct log with earlier creation date was the original, and all other logs have been altered to a different ID not traceable to MagicalTux to cover up fraud in a very lazy way (by setting all Money spent to whatever was the last trade), and someone forgot there was still a zip file lying around with the unaltered data.

Another thing: Willy seemed to be immune to network downtime.

The latest four trades displayed in the bottom-right corner showcase Willy’s typical trading activity observed from December onwards: a 10-20 BTC buy every 5-10 minutes. At a time no one else was able to trade, be it via API or otherwise, Willy was somehow able to continue as if nothing ever happened. This makes it likely the bot was being run from a local Mt. Gox server. It is not impossible that a hacker was able to install some kind of rootkit on Mt. Gox’s servers and ran the bot from there, but that seems extremely unlikely.

Before Markus

Of course, I was curious to see if the April 2013 bubble was just as fake as the November 2013 bubble was (as should be evident from the above data, and the more detailed price analysis below). Although I could find no clear single buy bot active during the February-April run up (Markus bought a significant amount of coins, but not enough to sustain the prolonged rally), there was still tons of suspicious activity in the log. When browsing through the trading data sorted by user ID, I noticed a huge number of active “Japan” users with very low user IDs (<1000). None were paying fees. Odd to say the least, so I investigated further. Turns out a lot of these trades followed a very distinct pattern, and were unlikely to have been executed by their original account holders, but rather these accounts were “hijacked” in some way. The image below shows an example of this pattern:

First, a user with ID 179200 (highlighted; it is always this user as far as I can tell) buys some very exact amount of JPY worth of BTC (in this case JPY 24000) from regular users. Immediately after, a mysterious low-ID JP user also buys up some exact amount of JPY worth of BTC (always several times more than what user 179200 bought). This happens over and over again, for different low-ID users. But here’s the interesting thing: the user _hashes_ for these low ID JP users do not add up with the user hashes of the original account holders. Look at this:

The data is sorted by user ID. Highlighted is the likely original, legit user making a legit trade. The hash is different from the fraudulent user (who has “JP” as region and does not pay fees). This rules out that these were inactive accounts being liquidated (the Mt. Gox terms of service stated they had the right to close accounts inactive for longer than 6 months). And as I said, these werenotisolated cases. The first incidence seems to have been on August 9th, 2012, 08:54:58 GMT. These users were especially actively buying until April 2013, probably tens if not hundreds of thousands of coins (I haven’t analyzed that far) although sometimes selling (for JPY) as well. From May 2013 they became less active (to the point of insignificance for price movement), buying smaller amounts until July or so, when they start selling more than buying. The activity continues until the end of the data (November 2013).

Interestingly, there was a post by MagicalTux on bitcointalk.org about him finding and fixing a bug, at a point in time about five hours after the first incidence of this phenomenon. And as it happens, most of these “hijacker” user hashes appear in the final balances file; all have only some very small JPY balance. So they at least satisfy the first two conditions for triggering the bug explained in that post. There is a possibility that the bug was not fully fixed and that this activity was an exploit of it.

After Willy – Speculation

Since there are no logs past November 2013, the following arguments are largely based on personal speculation, and that of other traders, with less hard evidence attached to them. Take them however you will. I’m sure a lot of this will be proven wrong, but hopefully it will give some insight into what transpired in Mt. Gox’s final days.

Based on my own personal observations, Willy continued to be active until January 26th: buying up 10-20 BTC every 5-10 minutes, for around 100 BTC per hour. It was not active all the time, but the majority of it. January was when things truly went awry for Mt. Gox; more and more withdrawals were getting stuck, and faced with information that JPY withdrawals (which had been instant until that point) were also getting unreasonably delayed, people began panic-buying their way out of Gox. Combined with Willy still being active, this caused the spread between Gox and other exchanges to get completely out of hand. At the pinnacle of it, on January 26th, Willy suddenly became inactive – and with it, the price retraced back to a more reasonable spread with the other exchanges. Shortly after – on February 3rd to be precise – it seemed as if Willy had begun to run in reverse, although with a slightly altered pattern: it seemed to sell around 100 BTC every two hours. The hourly chart shows this quite well; there was almost no other trading volume for two days straight, so we saw a very straight declining slope on the chart.

It didn’t take long for reverse-Willy to increase its pace. More than likely, the entire dump down to double digits was the handy work of this dumping bot. Peter R, another trader, came to the same conclusion independently from me in his excellent analysis that may just be very close to the truth. It would be one explanation for why none of the Willy accounts had a final balance despite all of their buying and no trace of BTC withdrawals: they were all dumped back on the market. The volume numbers seem to roughly match up. Where did the fiat go then? Into Mt. Gox’s reported fiat assets, possibly. You may remember they all but halted JPY withdrawals in early January, yet somehow cleared ALL pending JPY withdrawals the day they shut down in late February. This proves their original reason for the delays (currency conversion issues) were BS; they simply had no fiat left. Yet somehow they had enough fiat for withdrawals the day they shut down, which was after the dumping already started. But, again, speculation.

There’s some additional evidence on the chart that a dump bot may have been at play. At several points in time, starting from Feb. 18th, it seemed that some bot was programmed to sell down to various fixed price levels. The most obvious cases are shown in these images.

From Feb. 18th (top) and from Feb. 19th (bottom): every time someone put a bid at or above USD $248.15 and $261.2239, respectively, it would get dumped into at most a few minutes later (see e.g. this post from someone who noticed the same thing). These seem like random price-points at first, but at that point in time, $248.15 corresponded toexactly JPY 26000,

and $261.2239 corresponded to exactly EUR 195.

But here’s the kicker: NONE of the sell dumps were performed in their respective currency pairs; ALL were in USD. It suggests that whoever was selling (1) had some way to convert USD to JPY/EUR in a frictionless way, and/or (2) needed these currencies to be at a fixed price for some reason. After reading this log about possible insider trading from anarchystar, who is closely involved in the Mt. Gox legal proceedings, (2) may in fact have been the purpose: perhaps Mt. Gox was offering a fixed buy-in price for JPY or EUR-based investors. In either case, only Mt. Gox executing these sell trades makes sense. Furthermore, in an IRC log where someone was impersonating MagicalTux by hijacking his nick, Charlie Shrem asks if he needs some liquidity. This was at a time withdrawals were already halted. Clearly, Mt. Gox was accepting fiat injections – it seems reasonable to assume this liquidity came in the form of cheap BTC being bought.

Additional factoid: a month or two ago, someone put up a site that aggregated the data from the leaked DB and allowed one to traverse the data easily, with rankings for best and worst traders, etc. One page of it is archived here. It had the (undoubtedly ironically intended) domain name “mark-karpeles.com”. It seems the site was fairly quickly removed, and “mark-karpeles.com” now redirects directly to the official mtgox.com.Barring an unlikely sudden change of heart by the creator from trying to expose fraud at Mt. Gox to supporting it, somebody may have threatened legal action or paid big bucks to get it under their control. In other words, someone was pretty desperate to prevent the data from becoming public. Update: the owner of mark-karpeles.com removed the site because he was being threatened. This was written in the pastebin that mark-karpeles.com points to since May 26th, which is now also removed.

The Effect on the Bitcoin Price

So how did all of this trading activity affect the price of Bitcoin as a whole? The answer is, unfortunately, enormously. I will be placing some historical charts from bitcoincharts.com along the Markus and Willy trade data where buying was most aggressive, which is basically from 15:14, July 28th, 2013 until the end of November. You can double-check exactly when and how many coins were bought using the logs near the top of this report, and/or match them against historical trading data from Mt. Gox’s public API. All of these trades actually occurred.

The huge volume spike on July 28 15:14 is where the big buying starts. 15,000 coins get bought in the span of 30 minutes. According to the trade data, buying continues until the 31st, 15:55. After a four day pause, there’s some small buying on August 5th, but it really picks up again on the 12th at 21:32. Buying continues on-and-off, with some large spikes especially on the 19th, 27th and the 30th, where ten of thousands of coins are bought. Basically, all the huge green volume spikes in the above chart are the handiwork of Markus, and Markus alone.

Something for the TA people:

Note the date, which is the moment we broke the post-April bubble downtrend.

In September, a few thousand coins were bought on the 2nd and 3rd, and then nothing until a lot was bought on the 9th, then on the 11th through early 13th. In the period of inactivity, the price finally got the chance to correct from an overbought condition. Unsurprisingly, price rose again when Markus resumed buying, then started falling again when Markus stopped on the 13th. There was no activity from Markus until late 26th/early 27th, where Markus made his final buys before handing the baton over to Willy, who would in turn continue aggressive, but much more constant, buying until early October 1st. Again, the price reflected this activity perfectly.

Then came October, with the Silkroad shutdown crash on the 2nd. Price was flat for a while – because Willy did not become active until 10-10-2013 0:49. Now, unlike Markus, Willy’s buying was a lot more spread out over time. Markus was active sporadically, buying thousands or tens of thousands of coins in bursts, whereas Willy was active almost constantly, (at first) buying anywhere from 1 to 50 BTC at ~5-10 minute intervals. But even Willy would sometimes have gaps of inactivity (usually a day or less). These show up nicely in the chart. Willy was not active for most of the 15th and not active for about 14 hours on the 22nd. Price goes flat in these intervals. On 24-10-2013 14:24, Willy becomes inactive for exactly a week, until 31-10-2013 14:44. As though perfectly timed, price crashes and growth stagnates.

Finally, November. Willy continues buying at its ~1-50 BTC per ~5-10 minutes rate until 5-11-2013 7:48. From 5-11-2013 10:53, Willy ups the ante – ~10-100 BTC is now bought at ~5-10 minute intervals, with many bursts of hundreds or thousands of BTC being bought at once. This continues non-stop until 9-11-2013 16:51. Willy becomes inactive for two days. Price crashes as if on cue. From 11-11-2013 14:04, Willy is back at its original pace, with occasional 100-1000+ BTC buys, until 16-11-2013 13:31.

Short Willy inactivity until 17-11-2013 2:57, with inevitable growth stagnation. Then relatively stable buying until 23-11-2013 8:35. A day of inactivity, cue price decline. Re-acivation on 24-11-2013 9:16. Cue price growth. The 100-1000+ BTC buy bursts finally end on 28-11-2013 15:10, where Willy enters its final stage that we all recognized (~10-20 BTC every ~5-10 minutes). The reduced activity causes growth stagnation. And we all know what happened next.

In closing

I want to make clear that this report is not intended to make accusations, but rather to show the facts that can be extracted from the information that is available to the public, and stipulate that there is more than plenty of evidence to suspect that what happened at Mt. Gox may have been an inside job. What I hope to achieve by releasing this analysis into the wild is for the public to learn the truth behind what happened at Mt. Gox, how it affected the Bitcoin price, and hopefully for the individuals responsible for the massive fraud that occurred at Mt. Gox to be put to justice. Although the evidence shown in this report is far from conclusive, it can hopefully spur a more rigorous investigation into Mt. Gox’s accounting data, both by the public (using the leaked data) and the authorities (forensic investigation on the actual data).

It needs to be recognized that, whether intentional or not (though plausible ignorance only goes so far), Mt. Gox has effectively been abusing Bitcoin to operate a Ponzi scheme for at least a year. The November “bubble” well into the $1000′s – and possibly April’s as well – was driven by hundreds of millions of dollars of fake liquidity pumped into the market out of thin air (note that this is equivalent to “with depositors’ money”). It is only natural that the Bitcoin price would deflate for around 5 months since its December peak, since there was never enough fiat coming in to support these kind of prices in the first place.

In the interest of full disclosure: I’ve known of everything I wrote in this report since basically a day after the database was leaked, well over 2 months ago. I’m sure there are at least some other people that knew about it – I mean, it’s there in plain sight, in publicly available data, so it surprises me that no one else has come out with it until now. I specifically waited for the Goxless, free market to finally break the ongoing downtrend on its own strength before releasing it. Barring similar shenanigans at other exchanges (looking at you China) I think this means we may be at a “fair” valuation now, and that this knowledge will not hurt the price all that much. Hopefully, price can rise at a more controlled pace as more and more good news comes out; it will be much better for Bitcoin as a technology than the crazy volatility and outrageous valuations we’ve seen last year.

*Update 26-05*

I’d meant to disable commenting, but apparently that’s not possible with free WordPress, and comments have gotten stuck in “awaiting moderation”. Since I felt bad for the people who took the time to comment on the article I cleared them and opened commenting.

I want to start off by saying I agree with a lot of the criticism on this article that’s appeared the Web; my conclusions were a bit too opinionated and perhaps exaggerated, and didn’t really fit the tone of the rest of the report, which was intended to be an objective account of my findings. I’ve corrected that with this update. Still, I stand by the most significant conclusion made: Willy was the cause for the November bubble. Sure, it didn’t do it all by itself, but it was the catalyst, and prevented price from coming down by effectively removing all selling pressure with its extremely constant buying (why market sell when you can place an ask order, and know it will be eaten into anyway?). In financial markets, sentiment is driven by price, much more so than the other way around. People see price skyrocketing, get euphoric, forget all the negative and assume the asset must be something absolutely amazing for people to place so much value in it (that, or they see an opportunity to “get rich quick”). It gets media attention, and sparks this whole positive feedback loop thing. A classic bubble in every way, really; but something has to light the fire, and subsequently prevent it from petering out.

Some people have argued BTC China was in fact leading the market, because its price was always higher than Mt. Gox’s. This is just a personal opinion, but I think price has little to do with who is leading or not; it’s all about who makes the first move (breaking some resistance on large volume, or whatever, if Technical Analysis is your thing). If market X happened to be just a little more eager to buy than market Y, or had less ask liquidity (which I believe was the case for BTC China), prices will naturally reach a higher point than market Y. For the July-November period: on a minute scale, for every single large move (think the 15,000 coins bought on July 28th, for example), Mt. Gox was always, always, the first mover. BTC China seemed to react within 1 or 2 minutes, sometimes leading to a higher proportional rise in price, sure, but it was NEVER the first mover. In my eyes, this means Mt. Gox and not BTC China was leading the market.